Individual Client Message Count Alerting

burd · September 7, 2018, 6:41pm

Hello,
I have my DNS servers logging to Graylog. One use case I’d like to use Graylog for is to detect someone abusing the DNS servers. Lets say a broken client keeps banging away at the DNS or even DHCP servers. I would use the message count alert condition, but how would I alert on an individual client creating these messages? I guess the same would be true for switchport link flapping. Message count alert condition and some how identifying the individual client.

Any ideas?

Thanks!

derPhlipsi · September 10, 2018, 4:50am

Heyo @burd
There is a plugin for your usecase

Greetings,
Phlipp

burd · September 10, 2018, 12:29pm

Thnak you, I’ll check it out!

system · September 24, 2018, 12:40pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Send alert based on message content Graylog Central (peer support)	3	3020	October 10, 2017
Graylog 3.2 alerts Graylog Central (peer support)	2	382	March 25, 2020
Alert configuration, message count/grace period? Graylog Central (peer support)	3	667	February 3, 2020
GrayLog 5 and Alerts Graylog Central (peer support)	3	257	June 30, 2023
User logged on to multiple machines, alert Graylog Central (peer support)	2	341	October 24, 2017

Individual Client Message Count Alerting

Related Topics